Never mind, I think I made some headway on this and will ask this over on the httpd list. Thank you for getting me this far, I really appreciate it.
On Wed, Aug 5, 2009 at 8:50 AM, Josh Gooding <josh.good...@gmail.com> wrote:

> *Andre wrote:
>
> The above is assuming that you would want all accesses which eventually go to Tomcat, to be under SSL from the client point of view.
> The idea is : SSL creates an overhead (encryption). If the link between Apache and Tomcat is secure (such as, they both run on the same host, or they run on separate hosts, but both inside of your secure network), then you do not want to have an additional overhead by encrypting/decrypting the communications between Apache and Tomcat.*
>
> This is true.
>
> Next question then. Is there a way to make just the login page (login.jsp) go through the SSL and nothing more?
>
> On Tue, Aug 4, 2009 at 4:18 PM, André Warnier <a...@ice-sa.com> wrote:
>
>> Josh Gooding wrote:
>>
>>> Update:
>>>
>>> So after re-re-reading the docs, since TC is not my standalone webserver, I should configure Apache (httpd) for SSL. That seems to be what I am reading.
>>
>> Yes.
>>
>> Client -> SSL -> Apache -> Ap/To Connector -> non-SSL -> Tomcat
>>                            (e.g. mod_jk)                 AJP Connector
>>
>> The above is assuming that you would want all accesses which eventually go to Tomcat, to be under SSL from the client point of view.
>> The idea is : SSL creates an overhead (encryption). If the link between Apache and Tomcat is secure (such as, they both run on the same host, or they run on separate hosts, but both inside of your secure network), then you do not want to have an additional overhead by encrypting/decrypting the communications between Apache and Tomcat.
>>
>> Second point of interest :
>> if, in the Tomcat <Connector> which accepts the requests from Apache, you set the attribute "tomcatAuthentication=false", then Tomcat will "believe" the user-id it gets from Apache, as being already authenticated by Apache, and will use it within Tomcat as the user-id.
>>
>> Now you have thus moved the authentication issue back to Apache.
>>
>> Let's forget SSL for a minute.
>> Under Apache, you want to protect access to some or all areas of the server (including the requests which you are going to forward to Tomcat), in such a way that the user must be authenticated to access these areas.
>> There are different methods under Apache to force the user to authenticate. If you want to do it via your own login page though, then you will have to find an Apache add-on module which allows you to do that, because it is not built-in.
>> This, you should enquire about on the Apache httpd user's list.
>>
>> Let's now re-add SSL.
>>
>> In addition to the above, you would like the login dialog (login page and client response to that login page) to happen under SSL, and the rest of the conversation not.
>> That is not so easy as it may sound however.
>> So, when you enquire about a login page authentication method (on the Apache httpd user's forum), you should make sure that you specify this requirement clearly.
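
The layout André describes (SSL terminated at Apache, plain AJP to Tomcat, Tomcat trusting the user-id from Apache), sketched as an added configuration example that is not part of the thread. The host name, file paths, worker name `tomcat1`, the `/myapp` path and the use of Basic authentication are all assumptions chosen for illustration.

```apache
# Constructed example: every name and path below is a placeholder.

# --- workers.properties (read by mod_jk via JkWorkersFile) ---
#   worker.list=tomcat1
#   worker.tomcat1.type=ajp13
#   worker.tomcat1.host=127.0.0.1
#   worker.tomcat1.port=8009

# --- Tomcat server.xml: AJP connector that accepts Apache's user-id ---
#   <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
#              tomcatAuthentication="false" />
# With tomcatAuthentication="false" Tomcat accepts the user-id from
# whatever peer speaks AJP to it, so the connector is bound to loopback
# here and must never be reachable from outside the trusted link.

LoadModule ssl_module modules/mod_ssl.so
LoadModule jk_module  modules/mod_jk.so
JkWorkersFile conf/workers.properties

Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    # Client <-> Apache is encrypted; Apache <-> Tomcat is not.
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Apache performs the authentication. Basic auth is used only
    # because it is built in; a login-page method needs an add-on module.
    <Location /myapp>
        AuthType Basic
        AuthName "Restricted area"
        AuthUserFile /path/to/htpasswd
        Require valid-user
    </Location>

    # Forward the protected application to Tomcat over AJP; mod_jk
    # passes the authenticated user-id along with each request.
    JkMount /myapp   tomcat1
    JkMount /myapp/* tomcat1
</VirtualHost>
```

Because the application is only mounted inside the port 443 virtual host, the credentials and every request carrying the authenticated user-id travel over SSL between client and Apache.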